Http-probing ban occuring for url which is in a whitelist

I have a file called /etc/crowdsec/parsers/s02-enrich/whitelist_failed_download.yaml which contains

name: whitelist_failed_download
description: "Whitelist failed download"
   reason: "404 download trigger FP"
   - "evt.Meta.http_status == '404' and (evt.Parsed.request contains '/downloads/' or evt.Parsed.request contains '/updates/')"

This should allow machines to try and download files which don’t exist. We have a system which tries to download a file based on the machine name. If its there it downloads and updates, if not, it just continues on. It generates 404 errors all the time.

Typing ‘cscli decisions list’ I can see that a client of ours is currently banned due to ‘crowdsec/http-probing’
If I type ‘cscli alerts inspect -d <id>’ it displays me a list of alerts and the related http-path. The path is /Downloads/

The difference being my whitelist contains /downloads and the machine is trying to download from /Downloads

But, this is running on a proxy which fronts a site on IIS and IIS doesn’t care about the case of urls.
My haproxy config doesn’t pay any attention to the url casing.

Is crowdsec case sensitive when matching whitelist rules? Can I set it to not be case sensitive?

I’ve tried searching case sensitivity on the site without finding anything. Maybe its referred to differently?


By default rules are sensitive. You can use a helper such as upper to avoid this kind of issues :slight_smile:

Perfect. Thank you.

I think the words ‘case sensitivity’ need to be added to the documentation somewhere or other with a link to the Upper function.